Re: CSP formal objection. from Mike West on 2014-02-12 (public-webappsec@w3.org from February 2014)

From: Mike West <mkwst@google.com>
Date: Wed, 12 Feb 2014 10:54:27 +0100
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Fred Andrews <fredandw@live.com>, Web Application Security Working Group <public-webappsec@w3.org>
Message-ID: <CAKXHy=cs-fpCnRV869VrLuoWnGOzUkhcR0ZhubiE7Mwo79UKTw@mail.gmail.com>

>
> The spec should not declare reporting as opt-in or opt-out. It should
> define a syntax for how sites can make their reporting URL known, and
> define the structure of those reports so sites can parse them. We can
> include non-normative notes on these tradeoffs and concerns, but it's up
> to each UA to decide if they want to default to sending reports or not,
> or whether they'd ask users each time (like the geolocation prompt, for
> example).
>

Everything else to the side, we do currently call out the 'referer' header
explicitly as something the user agent can restrict above and beyond what
the 'referrer' directive implies. Would it sufficiently address your
concerns to add a note along the lines of "Note: This specification should
not be interpreted as limiting user agents' ability to apply other
restrictions to limit data leakage via violation reports." to the
'report-uri' section of the spec?

-mike

Received on Wednesday, 12 February 2014 09:55:15 UTC